{
	"id": "1abb3da4-ab5a-4dd8-9f79-7da44f6371e6",
	"created_at": "2026-04-06T00:21:57.833352Z",
	"updated_at": "2026-04-10T03:28:20.660307Z",
	"deleted_at": null,
	"sha1_hash": "27e41b695d7a8166327a153fa19a40042db66a3e",
	"title": "Harvester: Nation-State-Backed Group Uses New Toolset to Target Victims in South Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62086,
	"plain_text": "Harvester: Nation-State-Backed Group Uses New Toolset to Target\r\nVictims in South Asia\r\nArchived: 2026-04-05 16:56:09 UTC\r\nA previously unseen actor, likely nation-state-backed, is targeting organizations in South Asia, with a focus on\r\nAfghanistan, in what appears to be an information-stealing campaign using a new toolset.\r\nThe Harvester group uses both custom malware and publicly available tools in its attacks, which began in June\r\n2021, with the most recent activity seen in October 2021. Sectors targeted include telecommunications,\r\ngovernment, and information technology (IT). The capabilities of the tools, their custom development, and the\r\nvictims targeted, all suggest that Harvester is a nation-state-backed actor.\r\nNew toolset deployed\r\nThe most notable thing about this campaign is the previously unseen toolset deployed by the attackers.\r\nThe attackers deployed a custom backdoor called Backdoor.Graphon on victim machines alongside other\r\ndownloaders and screenshot tools that provided the attackers with remote access and allowed them to spy on user\r\nactivities and exfiltrate information.\r\nWe do not know the initial infection vector that Harvester used to compromise victim networks, but the first\r\nevidence we found of Harvester activity on victim machines was a malicious URL. The group then started to\r\ndeploy various tools, including its custom Graphon backdoor, to gain remote access to the network. 
The group also\r\ntried to blend its activity in with legitimate network traffic by leveraging legitimate CloudFront and Microsoft\r\ninfrastructure for its command and control (C\u0026C) activity.\r\nTools used:\r\nBackdoor.Graphon - custom backdoor that uses Microsoft infrastructure for its C\u0026C activity\r\nCustom Downloader - uses Microsoft infrastructure for its C\u0026C activity\r\nCustom Screenshotter - periodically logs screenshots to a file\r\nCobalt Strike Beacon - uses CloudFront infrastructure for its C\u0026C activity (Cobalt Strike is an off-the-shelf\r\ntool that can be used to execute commands, inject into other processes, elevate or\r\nimpersonate other processes, and upload and download files)\r\nMetasploit - an off-the-shelf modular framework that can be used for a variety of malicious purposes on\r\nvictim machines, including privilege escalation, screen capture, setting up a persistent backdoor, and more.\r\nThe custom downloader used by the attackers is packed with the Costura assembly loader, which embeds the\r\nreferenced .NET assemblies as resources inside a single executable. 
Once on a victim machine,\r\nit checks if the following file exists:\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia\r\nPage 1 of 4\n\n[ARTEFACTS_FOLDER]\\winser.dll\r\nIf the file does not exist it downloads a copy from the following URL:\r\nhxxps://outportal[.]azurewebsites.net/api/Values_V2/Getting3210\r\nNext, the sample creates the following file if it does not exist:\r\n\"[ARTEFACTS_FOLDER]\\Microsoft Services[.]vbs\"\r\nThen it sets the following registry value to create a loadpoint:\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\"MicrosoftSystemServices\"\r\n= \"[ARTEFACTS_FOLDER]\\Microsoft Services[.]vbs\"\r\nFinally it opens an embedded web browser within its own UI using the following URL:\r\nhxxps://usedust[.]com\r\nWhile it initially appeared that this URL may have been a loadpoint for Backdoor.Graphon, upon further\r\ninvestigation it appears to be a decoy to confuse any affected users.\r\nBackdoor.Graphon is compiled as a .NET PE DLL with export “Main” and the following PDB file name:\r\nD:\\OfficeProjects\\Updated Working Due to Submission\\4.5\\Outlook_4.5\\Outlook 4.5.2 32 bit New without\r\npresistancy\\NPServices\\bin\\x86\\Debug\\NPServices[.]pdb\r\nWhen this is executed, it attempts to communicate with the attackers’ C\u0026C servers, which are hosted on Microsoft\r\ninfrastructure.\r\nhxxps://microsoftmsdn[.]azurewebsites.net/api/Values_V1/AuthAsyncComplete_V1?Identity=\r\n[INFECTION_ID]\r\nhxxps://microsoftsgraphapi[.]azurewebsites.net/api/Values_V1/AuthAsyncComplete_V1?Identity=\r\n[INFECTION_ID]\r\nhxxps://msdnmicrosoft.azurewebsites[.]net/api/Values_V1/AuthAsyncComplete_V1?Identity=\r\n[INFECTION_ID]\r\nGraphon then spawns a command shell (cmd.exe), feeds the attackers’ commands into its input stream, and captures its output and error streams. 
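The following hunting script is an added example and is not code from the Symantec report or from the Harvester toolset. It scans constructed proxy-log lines and a constructed Run-key listing for the downloader and Graphon traits just described: the four azurewebsites.net hosts, the /api/Values_V<n>/<Action> path shape shared by every published URI, the usedust.com decoy, and the MicrosoftSystemServices Run value pointing at Microsoft Services.vbs. Host names, paths, the Run value name and the .vbs file name come from the report; the log layout, client addresses, infection ID, folder path and every sample line are constructed for this demo. The path-shape rule deliberately generalises the published URIs to other azurewebsites.net hosts.

```python
# Added example, not code from the Symantec report: hunt constructed proxy-log
# lines and a constructed Run-key listing for the Harvester traits the report
# documents. Host names, URI paths, the Run value name and the .vbs file name
# are taken from the report; the log format, client addresses, infection ID,
# folder paths and every sample line below are constructed for this demo.
import re

# C&C and downloader hosts named in the report (defanging brackets removed).
KNOWN_C2_HOSTS = {
    'microsoftmsdn.azurewebsites.net',
    'microsoftsgraphapi.azurewebsites.net',
    'msdnmicrosoft.azurewebsites.net',
    'outportal.azurewebsites.net',
}
# Decoy page the downloader opens in an embedded browser; weak on its own.
DECOY_HOSTS = {'usedust.com'}

# Generalisation of the published URIs: every sample used a path shaped
# /api/Values_V<n>/<Action>, so the same shape on any other azurewebsites.net
# host is worth a look even if the host itself is not yet on a blocklist.
C2_PATH_RE = re.compile(r'^/api/Values_V[0-9]+/[A-Za-z0-9_]+')

# Constructed proxy log: time client method host path status (one per line).
SAMPLE_PROXY_LOG = '''
2021-10-04T09:12:01Z 10.1.4.22 GET portal.azure.com /signin/index 200
2021-10-04T09:12:44Z 10.1.4.22 GET outportal.azurewebsites.net /api/Values_V2/Getting3210 200
2021-10-04T09:13:10Z 10.1.4.22 GET usedust.com / 200
2021-10-04T09:15:02Z 10.1.4.22 GET microsoftmsdn.azurewebsites.net /api/Values_V1/AuthAsyncComplete_V1?Identity=7f3a 200
2021-10-04T09:20:02Z 10.1.4.22 GET microsoftmsdn.azurewebsites.net /api/Values_V1/AuthAsyncComplete_V1?Identity=7f3a 200
2021-10-04T09:21:00Z 10.1.4.31 GET contoso-app.azurewebsites.net /api/values/1 200
2021-10-04T09:25:02Z 10.1.4.22 GET unrelated.azurewebsites.net /api/Values_V9/Poll 200
'''

def classify_request(host, path):
    '''Return a reason string for a suspicious request, or None.'''
    host = host.lower()
    if host in KNOWN_C2_HOSTS:
        return 'known-c2-host'
    if host in DECOY_HOSTS:
        return 'decoy-host'
    if host.endswith('.azurewebsites.net') and C2_PATH_RE.match(path):
        return 'c2-path-shape'
    return None

def hunt_proxy(log_text):
    '''Return (client, host, path, reason) for every matching log line, in order.'''
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # blank or malformed line
        _ts, client, _method, host, path, _status = parts[:6]
        reason = classify_request(host, path)
        if reason:
            hits.append((client, host, path, reason))
    return hits

# Constructed output of: reg query HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
# The folder below is made up; the report only gives it as [ARTEFACTS_FOLDER].
SAMPLE_RUN_KEY = '''
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background
    MicrosoftSystemServices    REG_SZ    C:\\Users\\alice\\AppData\\Roaming\\demo\\Microsoft Services.vbs
'''

def hunt_run_key(reg_text):
    '''Return (value_name, data) for Run entries matching the downloader loadpoint.'''
    hits = []
    for line in reg_text.splitlines():
        parts = line.split(None, 2)  # name, type, data (data may contain spaces)
        if len(parts) != 3:
            continue
        name, _type, data = parts
        if name == 'MicrosoftSystemServices' or data.lower().endswith('microsoft services.vbs'):
            hits.append((name, data))
    return hits

if __name__ == '__main__':
    for hit in hunt_proxy(SAMPLE_PROXY_LOG):
        print('proxy  ', *hit)
    for hit in hunt_run_key(SAMPLE_RUN_KEY):
        print('run-key', *hit)
```

A path-shape match on its own is a triage lead, not a verdict: a Values controller under /api is what the default ASP.NET Web API project template produces, so confirm the host and the regular polling cadence before escalating. The known-host and Run-value matches, by contrast, are direct hits on published indicators.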
The backdoor also\r\npolls the C\u0026C server with periodic GET requests; the content of any returned message is extracted and then\r\ndeleted.\r\nData that cmd.exe pulled from the output and error streams is encrypted and sent back to the attackers’ servers.\r\nThe custom screenshot tool was also packed with the Costura assembly loader. It captures screenshots\r\nthat it saves to a password-protected ZIP archive for exfiltration, deleting all archives older than a week.\r\nOngoing activity\r\nWhile we do not have enough evidence yet to attribute Harvester’s activity to a specific nation state, the group’s\r\nuse of custom backdoors, the extensive steps taken to hide its malicious activity, and its targeting all point to it\r\nbeing a state-sponsored actor. Harvester’s use of legitimate infrastructure to host its C\u0026C servers in order to blend\r\nin with normal network traffic is one example of the stealthy steps taken by this actor.\r\nThe targeting of organizations in Afghanistan in this campaign is also interesting given the huge upheaval seen in\r\nthat country recently. 
The activity carried out by Harvester makes it clear the purpose of this campaign is\r\nespionage, which is the typical motivation behind nation-state-backed activity.\r\nThat Harvester’s most recent activity was seen earlier this month means that organizations in the sectors and\r\ngeographies mentioned should be alert to the malicious activity outlined in this blog.\r\nProtection\r\nFile based:\r\nBackdoor.Graphon\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\n0740cc87a7d028ad45a3d54540b91c4d90b6fc54d83bb01842cf23348b25bc42\r\n303f93cc47c58e64665f9e447ac11efe5b83f0cfe4253f3ff62dd7504ee935e0\r\n3c34c23aef8934651937c31be7420d2fc8a22ca260f5afdda0f08f4d3730ae59\r\n3c8fa5cc50eb678d9353c9f94430eeaa74b36270c13ba094dc5c124259f0dc31\r\n470cd1645d1da5566eef36c6e0b2a8ed510383657c4030180eb0083358813cd3\r\n691e170c5e42dd7d488b9d47396b633a981640f8ab890032246bf37704d4d865\r\na4935e31150a9d6cd00c5a69b40496fea0e6b49bf76f123ea34c3b7ea6f86ce6\r\nc4b6d7e88a63945f3e0768657e299d2d3a4087266b4fc6b1498e2435e311f5d1\r\ncb5e40c6702e8fe9aa64405afe462b76e6fe9479196bb58118ee42aba0641c04\r\nd84a9f7b1d70d83bd3519c4f2c108af93b307e8f7457e72e61f3fa7eb03a5f0d\r\nf4a77e9970d53fe7467bdd963e8d1ce44a2d74e3e4262cd55bb67e7b3001c989\r\nURL\r\nhxxps://perfect-couple.com/perfectcouple[.]exe – sample was downloaded from this address\r\nBLOG UPDATED 2.45pm, October 18, 2021: Minor updates made for clarity\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia"
	],
	"report_names": [
		"harvester-new-apt-attacks-asia"
	],
	"threat_actors": [
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434917,
	"ts_updated_at": 1775791700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/27e41b695d7a8166327a153fa19a40042db66a3e.pdf",
		"text": "https://archive.orkl.eu/27e41b695d7a8166327a153fa19a40042db66a3e.txt",
		"img": "https://archive.orkl.eu/27e41b695d7a8166327a153fa19a40042db66a3e.jpg"
	}
}